A risk is anything that may have a negative impact on achieving your NGO´s mission, goals, objectives and strategies if it becomes reality.
It may have an impact on different levels: the organization as a whole, programs, projects, processes, products, services or stakeholders.
A risk that has become real and is getting closer or is imminent is called a threat.
A threat can have been caused intentionally (e.g. a terrorist threat) or be unintentional (e.g. a drought).
Nonprofit organization face risks that can have their origin in the external environment or inside the organization (graphic 1)
Graphic 1: Sources of risks that a nonprofit may face
Importance of Risk Management
Risk Management process
Risk Management is a systematic process that aims to help organizations of any type to deal with emerging and changing risks.
It involves identifying risks, evaluating them, deciding how to respond and then taking the necessary actions.
The focus of Risk Management could be
- The organization: Organizational risk management
- A project: Project risk management
- Security: Security risk management
- Finances: Financial risk management.
A risk management process is made up of a number of stages which will follow normally more or less this order:
Stage 1: Find sources of risks and recognize risks and threats.
Stage 2: Describe individual risks in a structured form.
Stage 3: Estimate the likelihood and magnitude of risks.
Stage 4: Rank risks according to their significance.
Stage 5: Decide about appropriate responses to risks.
Stage 6: Review the existing risk management system.
Stage 7: Develop plans how to deal with a negative event.
Stage 8: Implement risk focused actions.
Stage 9: Monitor risks.
Stage 10: Communicate about risk related issues regularly
Benefits of Risk Management
Managing risk will increase the probability that a nonprofit organization will survive for a long time and be able to work towards its vision.
This is because risk management
- Increases the probability that the organization with be compliant with laws, regulations and contracts.
- Reduces the exposure of employees to health and security risks.
- Makes organizational processes more efficient due to fewer disruptions.
- Improves planning and decision-making due to a better understanding of the future
- Increases confidence of donors and grant-makers that funding goals and objectives will be met.
Building capacity in Risk Management
There are a number of websites that cover risk management in detail. They should provide all the knowledge needed by the typical NGO to build up its capacity in risk management.
Staff members can learn about the topic from numerous publications downloadable free of charge as well as by participating in webinars.
Examples of external and internal risks
- Change of favorable tax laws and regulations.
- New government regulations.
- Exchange rate changes.
- Social unrest.
- Violent crime.
- Price controls for products that the organization sells to earn income.
- Import restrictions for critical raw materials and components.
Risks in the Micro-environment
- A customer cannot pay his bills.
- An annual donation is cancelled.
- A grant maker changes his priorities.
- Material or energy supplies are interrupted.
- A bank cancels its credit line.
- Local authorities will not support anymore a program financially.
- Parts of a community do not want to cooperate anymore with the organization.
- Another organization offering similar/identical products and services starts to operate in the area where your NGO is located.
Risks inside an organization
- The Executive Director or a staff member with high qualifications leaves.
- Wrong decision-making in a critical situation.
- A staff member does not follow internal guidelines, rules or procedures.
- A staff member does not comply with a law or regulation.
- A project is badly managed.
- Quality issues with products due to poor maintenance of machines and wrong material handling.
- Machine breakdowns.
- Raw materials, components and finished products disappear from the warehouse due to theft.
Examples of external and internal threats
- The Executive Director has resigned and the organization still has not found a suitable replacement.
- Customers have written that they will cancel their contracts if quality issues are not removed immediately.
- A supplier has indicated that he will have to increase sales prices if his input prices do not come down in the next weeks.
- A donor has indicated that he will be reviewing his funding priorities soon.
- A terrorist organization has announced that it will kill all foreigners that do not leave the country within 1 month.
- A new government will be elected in 4 months. A political party which wants to abolish the favorable tax treatment of NGOs will most like win.
- Floods have reached the neighboring town which is not far away from where the NGO operates.
- A financial plan shows that the organization will run out of cash in a few months.
Finding out more about a specific risk (questionnaire)
- Was there exposure to the risk in the past?
- Did the risk turn into something that really happened?
- Why did it happen?
- What were the consequences (e.g. loss of life, loss of income, loss of production time)?
- Which actions were taken in the past to deal with the risk?
- How effective were these actions?
- Who is responsible for managing risks within the organization (e.g. developing policies, implementing improvements, auditing compliance)?
- What is in place to deal with this specific risk?
- Who is responsible for dealing with this specific risk?
- What could happen?
- What could be the motivation of those who are the source of this specific risk?
- What are the means of those who are the source of this specific risk?
- What is the likelihood that it could happen (again)?
- How can the risk be measured?
- What could be the magnitude?
- When could it happen?
- What factors influence the likelihood, magnitude and timescale?
- Who and/or what would be impacted (e.g. staff members, beneficiaries, customers, IT infrastructure, energy supply)?
- What would be the consequences?
- Is everything in place to deal with this risk or are improvements needed?
- Who will be responsible for dealing this specific risk?
Operational side of Risk management: Responsibilities
The head of the organization, a very senior person or the board will normally carry the overall responsibility. He/they will determine the strategic approach and establish the necessary structures.
Heads of departments and project managers will deal with risk within their area of responsibility.
It is up to individual employees to understand and implement risk management and report anything that caused a problem or might pose a risk.
Organizations should also consider nominating someone who conducts internal audits and someone who focuses on the most critical risk issue.
Small organizations might have a part-time risk manager who keeps the risk policy and risk related documents update, while large organization might even have a risk management department.
Sources / Guide to further reading (available online)
European Interagency Security Forum, at: http://www.eisf.eu
The Institute of Risk Management, at: http://www.theirm.org/
Non Profit Risk Management Center, at: http://www.nonprofitrisk.org/
M.Merkelbach, P.Daudin, From Security Management to Risk Management, at: http://www.eisf.eu/resources/library/SMI%20views%20risk%20management%20-%20May%202011.pdf
- The report looks at risk management in aid agencies and includes recommendations how they should move forward. The benchmark is the recently published approach by the International Organization for Standardization (ISO 31000)
European Interagency Security Forum, Introduction to risk management, at: http://www.eisf.eu/resources/library/intro_risk_mgmt.pdf
- The first chapter of a book covering different aspects of risk management. It provides a very detailed introduction to risk management, independent of the type of organization
AIRMIC, Alarm, IRM, A structural approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, at: http://www.airmic.com/guide/structured-approach-Enterprise-Risk-Management-ERM-requirements-ISO-31000
- The guide to Enterprise Risk Management is based on the input of the main risk management organizations in the UK
CCF National Resource Center, Managing crisis: Risk Management and Crisis Response Planning, at: http://www.acf.hhs.gov/programs/ocs/ccf/ccf_resources/managing_crisis.pdf
- The guidebook has its focus on what could go wrong and how to respond if something goes wrong